Description

The SanDisk Sansa e200 series has a 20MB hidden firmware partition. It holds both the bootloader and main firmware. This partition is hidden by e200r firmwares.

The partition is 20MB and is at the end of the disk. It doesn't have any partition table, but has files at specific address locations inside it. Each file has a 512B (1 sector) header which has a 4 character string describing its contents, followed by a 32-bit little endian number indicating the length of the file in bytes. There is then a 32 bit number with an unknown purpose.

Structure

Addresses are relative to the start of the partition. The partition is divided up into 3 block. The first block is 512KB for the bootloader. The last 5MB of the partition is for the ppfn (image?) data. The remaining space in between is used for the main firmware.

Use dd to dump the entire 20MB partition (partition 1), /dev/sdc is the block device name of the Sansa (this even works under Cygwin), notice how the "skip" argument is filled with the start sector of the partition:

Check the dumped partition with your favorite hex-editor. It should start with "PPBL". If it doesn't, you may have accidentally dumped some data from another device. In that case, change "/dev/sdc" to something else.